#53803 - 03/26/20 08:13 AM Do I have Malware?
Rain Offline


Registered: 07/17/11
Loc: London UK
I use a MacBook Pro 2013 running 10.12.
About a month ago I opened a link on an email that I believed was a FlashPlayer update from Adobe. When I examined the sent from address it was from "adobes systems.com" (with a double s).
My Mac has started to behave strangely over the past 3-4 weeks, initially it wouldn't send or receive emails (then they started to drip through slowly), this is still occurring.
Now I find that I can't change my default search engine in Safari, I use Bing but now it says Bing in the preferences but goes to Yahoo and won't let me change it. If I go to say "google.co.uk" and perform a search the result page comes up as Yahoo.
The machine is getting a bit sluggish and doesn't seem to want to load pages very quickly.
I believe that this may be Malware.........any thoughts? (and if it is what should I do)
Thanks

Top
#53804 - 03/26/20 08:32 AM Re: Do I have Malware? [Re: Rain]
Ira L Offline


Registered: 08/13/09
Loc: California
Start by running some sort of malware/virus checker. If you don't have one, download and run in free mode MalwareBytes.
_________________________
On a Mac since 1984.
Currently: 27" iMacs, Macbook Air, macOS 10.15.x; iPhones, iPods and iPads galore!

Top
#53805 - 03/26/20 08:34 AM Re: Do I have Malware? [Re: Rain]
jchuzi Online


Registered: 08/04/09
Loc: New York State
Download, install, and run MalwareBytes. It may pick something up. You can also try Scam Zapper as well as Virus Barrier (at App Store).

When the dust settles, either ditch Flash or download only directly from Adobe.
_________________________
Jon

macOS 10.15.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Top
#53806 - 03/26/20 08:40 AM Re: Do I have Malware? [Re: Rain]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
A cardinal anti-malware rule is never install updates or upgrades from links in emails. If you believe the update may be valid, navigate directly to the publisher's web site in your browser and download the latest version from there.

At this point you are going to need help in determining whether or not your MBP is infected and if so with what. There are any number of anti-malware products on the market and you can take your pick. The one I use is MalwareBytes, which you can download and use free for 14 days.

P.S. After I posted I saw Jon and Ira got in while I was thinking. At least we all had the same recommendation for MalwareBytes.


Edited by joemikeb (03/26/20 08:44 AM)
Edit Reason: P.S.
_________________________
joemikeb • moderator

Top
#53810 - 03/26/20 10:37 AM Re: Do I have Malware? [Re: Rain]
Rain Offline


Registered: 07/17/11
Loc: London UK
Thanks for the swift replies everyone. So I have downloaded and used Malwarebytes which reported 6 items quarantined.
After a restart the email is back working fine again, but the search engine in Safari is stuck firmly on Yahoo........... but says Bing.
Any further thoughts?

Top
#53811 - 03/26/20 10:51 AM Re: Do I have Malware? [Re: Rain]
jchuzi Online


Registered: 08/04/09
Loc: New York State
A stab in the dark: delete any Yahoo and/or Bing cookies. You could also clear Safari caches by pressing Command-Control-E. Restart Safari and see if that worked. (The downside of clearing caches is that site icons will have been reset to generic, but they will regenerate as you revisit those sites.)


Edited by jchuzi (03/26/20 10:52 AM)
_________________________
Jon

macOS 10.15.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Top
#53812 - 03/26/20 11:00 AM Re: Do I have Malware? [Re: Rain]
artie505 Online


Registered: 08/04/09
Originally Posted By: Rain
...the search engine in Safari is stuck firmly on Yahoo........... but says Bing.

What do you see at Safari > Prefs > Websites > Search engine:?
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#53813 - 03/26/20 11:09 AM Re: Do I have Malware? [Re: artie505]
jchuzi Online


Registered: 08/04/09
Loc: New York State
Artie:

In Safari 13.1, I don't see "Search engine" listed in Safari > Preferences > Websites but I do see "Search engine" in Safari > Preferences > Search
_________________________
Jon

macOS 10.15.6, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365

Top
#53814 - 03/26/20 11:19 AM Re: Do I have Malware? [Re: jchuzi]
artie505 Online


Registered: 08/04/09
I spaced out there, Jon. You're correct: Safari > Prefs > Search > Search engine:

Thanks.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#53815 - 03/26/20 12:51 PM Re: Do I have Malware? [Re: artie505]
Rain Offline


Registered: 07/17/11
Loc: London UK
Hi, thanks for the suggestions. I have deleted two Bing & two Yahoo cookies and cleared the cache. Still no change.
Safari-prefs-search; still says Bing and stays on Bing when I try to change it.

Top
#53816 - 03/26/20 05:38 PM Re: Do I have Malware? [Re: Rain]
artie505 Online


Registered: 08/04/09
I looked through Safari's entire configuration and couldn't find a single file that sounded like a likely candidate, so more or less for the heck of it, try quitting Safari, moving Yourhomefolder/Library/Preferences/com.apple.Safari.plist to your desktop, restarting your Mac, and launching Safari to see what happens. Safari will create a new file, and if your issue is corrected, you can trash the one on your desktop, and if not, you can move it back and overwrite the newly created one. (I'll concede in advance that I'm not terribly optimistic about this, but it can't hurt and may actually turn the trick.)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#53817 - 03/26/20 11:16 PM Re: Do I have Malware? [Re: artie505]
Rain Offline


Registered: 07/17/11
Loc: London UK
Thanks for the new idea. I have tried it but no change...............looks like I'm stuck in Yahoo hell!

Top
#53818 - 03/26/20 11:57 PM Re: Do I have Malware? [Re: Rain]
artie505 Online


Registered: 08/04/09
I took a more focused look and found the file that changes when I change search engines.

Try the exact same procedure with Yourhomefolder/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist (Be sure to quit, move, restart, launch, and with a bit of luck it'll be your answer.)

Other prefs will be affected if you wind up trashing that file, so I suggest that you check all of yours afterwards.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#53823 - 03/27/20 08:38 AM Re: Do I have Malware? [Re: artie505]
Rain Offline


Registered: 07/17/11
Loc: London UK
Ok I have followed the pathway you suggest and I have a slight difference.
Where you have: containers/com.apple.safari
I have: containers/com.apple.Safari.CacheDeleteExtension

Also where you have Preferences/com.apple.Safari.plist
I have: com.apple.Safari.CacheDeleteExtension.LSSharedFileList.plist

Should I continue?

Top
#53832 - 03/27/20 02:12 PM Re: Do I have Malware? [Re: Rain]
artie505 Online


Registered: 08/04/09
Safari in Sierra is a different beast than Safari in Catalina, but luckily I've still got a High Sierra installation, and its Safari appears to be the same as yours.

That said, ignore my previous suggestion and try the procedure with: YourShortUserName/Library/Cookies/com.apple.Safari.SearchHelper.binarycookies

It's the most likely culprit I could find.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#53833 - 03/27/20 03:21 PM Re: Do I have Malware? [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Artie, you were right the first time: the search engine setting is in ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist
or at least that is the case on my system running MacOS 10.15.4.

Why the directory structure to get to that is so baroque I have no idea.
_________________________
joemikeb • moderator

Top
#53834 - 03/27/20 04:17 PM Re: Do I have Malware? [Re: joemikeb]
artie505 Online


Registered: 08/04/09
That's the Catalina file that changed when I changed my search engine pref, but it doesn't exist in either Rain's Sierra or my High Sierra.

Nor have I been able to locate its exact equivalent. The last file I fingered exists in both High Sierra and Catalina, but its contents may differ between the two.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#53836 - 03/27/20 04:42 PM Re: Do I have Malware? [Re: artie505]
joemikeb Online

Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
After numerous unsuccessful attempts using ⌘F (Finder) and Spotlight, I switched to Find Any File and searched for content containing DuckDuckGo (my chosen search engine) and a file name ending in .plist which turned up several files. I then opened the suspects in Xcode to confirm it was the file I was looking for.

That technique should work in almost any version of MacOS. If Xcode isn't available to verify it is the correct file, TextEdit should work.
_________________________
joemikeb • moderator

Top
#53837 - 03/27/20 04:53 PM Re: Do I have Malware? [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Find Any File is my go-to. (I haven't even got a Spotlight icon in my menu bar!)

I already tried your search and wasn't successful, but I tried without booting into High Sierra. I'm going to boot into it later and report back. Changing my search engine pref will hopefully flag a file with an in-your-face modification date, same as it enabled me to identify the correct Catalina file.

Since TextWrangler bit the dust I use BBEdit (Basic) for examining files.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#53838 - 03/27/20 11:16 PM Re: Do I have Malware? [Re: artie505]
artie505 Online


Registered: 08/04/09
I. AM. TRULY. BEAT!!!

I booted into High Sierra, changed my search engine pref time after time after time, and searched with Find Any File after each change, and not a single search, either by name, file content, or last modified date identified whatever changed along with my pref.

¯\_(ツ)_/¯


Update: Found it!

Well, maybe.

The only file in High Sierra that changes as I change my search engine pref is /Users/artie/Library/Preferences/.GlobalPreferences.plist. Note the dot. I originally missed the file because I was filtering out invisibles.

Code:
<key>NSPreferredWebServices</key>
<dict>
	<key>NSWebServicesProviderWebSearch</key>
	<dict>
		<key>NSDefaultDisplayName</key>
		<string>DuckDuckGo</string>
		<key>NSProviderIdentifier</key>
		<string>com.duckduckgo</string>
	</dict>
</dict>

I'm confused, though, by the info being stored in two places in Catalina, i.e. the file I previously identified AND this new one.

The file in question seems to be the repository for an awful lot of prefs, so I hesitate to tell Rain to delete it.

I've got no idea where to go from here.


Edited by artie505 (03/28/20 12:33 AM)
Edit Reason: Update
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
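
An added example, not part of the original posts: a read-only Python sketch of the two techniques described above, joemikeb's search of .plist files by content and artie505's reading of the NSPreferredWebServices entry. It goes beyond the thread by parsing binary as well as XML plists and by including hidden files such as .GlobalPreferences.plist; the function names and the sample plist are constructed for illustration.

```python
import os
import plistlib

# Constructed sample: the fragment quoted in the post, wrapped into a complete plist.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPreferredWebServices</key>
  <dict>
    <key>NSWebServicesProviderWebSearch</key>
    <dict>
      <key>NSDefaultDisplayName</key><string>DuckDuckGo</string>
      <key>NSProviderIdentifier</key><string>com.duckduckgo</string>
    </dict>
  </dict>
</dict></plist>"""

def search_provider(data):
    """Return (display name, identifier) of the stored web-search provider, or None."""
    prefs = plistlib.loads(data)  # accepts XML and binary plists alike
    web = prefs.get("NSPreferredWebServices", {}).get("NSWebServicesProviderWebSearch")
    return (web.get("NSDefaultDisplayName"), web.get("NSProviderIdentifier")) if web else None

def string_leaves(node, path=""):
    """Yield (key path, value) for every string stored anywhere in a parsed plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from string_leaves(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from string_leaves(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_in_plists(root, needle):
    """Read-only scan of every *.plist under root (dotfiles included) for needle."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".plist"):
                continue
            full = os.path.join(folder, name)
            try:
                with open(full, "rb") as fh:
                    tree = plistlib.load(fh)
            except Exception:  # unreadable or malformed file: skip it, never modify it
                continue
            hits += [(full, key_path, text) for key_path, text in string_leaves(tree)
                     if needle.lower() in text.lower()]
    return hits

if __name__ == "__main__":
    print(search_provider(SAMPLE))
    for hit in find_in_plists(os.path.expanduser("~/Library/Preferences"), "yahoo"):
        print(hit)
```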

Top
#53839 - 03/28/20 01:14 AM Re: Do I have Malware? [Re: artie505]
Rain Offline


Registered: 07/17/11
Loc: London UK
Hi Guys, I have tried the cookies suggestion and no luck.

Top
#53840 - 03/28/20 01:29 AM Re: Do I have Malware? [Re: Rain]
artie505 Online


Registered: 08/04/09
Totally not surprised. :(

My previous post kinda sums up the situation from my point of view, but joemike may be able to help. (A "defaults write" command may be the way to go, but composing it is beyond my capability.)
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#53841 - 03/28/20 02:17 AM Re: Do I have Malware? [Re: artie505]
Rain Offline


Registered: 07/17/11
Loc: London UK
Well I really appreciate your efforts, and at least my email is working again.
Thanks

Top
#53842 - 03/28/20 02:24 AM Re: Do I have Malware? [Re: Rain]
artie505 Online


Registered: 08/04/09
I've been meaning to ask if there's a particular reason that you're stuck in Sierra, because if you upgrade to just High Sierra your Safari will be updated to a later version, which may make your problem easier to deal with.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

Top
#53847 - 03/28/20 09:25 AM Re: Do I have Malware? [Re: artie505]
Rain Offline


Registered: 07/17/11
Loc: London UK
Mainly because I have quite old kit and applications, which seem to falter after each upgrade, and to keep a bit of consistency over the 3 machines in our household.

Thanks again.

Top

Moderator:  alternaut, dkmarsh, joemikeb